Can Banks Prevent the Next Cyber Attack?

Banks knew this past September's DDoS attack was coming, but were powerless to stop it. What can be done to prevent the next attack from succeeding?

Normally, if enterprise IT security professionals know about a potential threat in advance, they can take steps to mitigate or prevent the damage.

However, when the Izz ad-Din al-Qassam Cyber Fighters telegraphed their pending action against major US financial institutions in September, banks were not able to stop the distributed denial of service (DDoS) attacks, resulting in some disruptions to banking websites and the ability for customers to access information and complete transactions.

While it was alarming that the DDoS was not able to be prevented, often these types of actions are used to by hackers to gather information and expose vulnerabilities. During the panel session "When State-Based, State Sponsored Actors Target Financial Institutions," participants said the DDoS was likely also an attempt to gather information and expose gaps in the banks' security perimeters.

"DDoS attacks are battering rams on the front door," said Carl W. Herberger, vice president, security solutions, Americas at Radware. "Once you break down the front door, and the associated security devices, an attacker can have free reign inside the organization." For instance, the 2011 Sony data breach started as a DDoS, but "eventually resulted in the leakage of usernames, passwords and credit card information," Herberger added.

Luckily for the global economy, this September's attacks against the banks, which targeted Bank of America, JPMorgan Chase, Wells Fargo and PNC Bank, did not impact some of the industry's critical shared infrastructure. "If the DDoS broke into the clearing banks and froze their systems, the global financial markets would freeze," McConnell said, which could cause financial panic, such as a run on banks and wild swings in the financial markets.

The September attack was most likely sanctioned by the Iranian government, according to McConnell, which raises the threat level and calls into question what response other nations should have to these types of attacks. Comparing a cyber attack to a natural disaster, Andy Ozment, senior director for Cybersecurity, National Security Staff, The White House, said that private industry, not the government, is usually the first responder to cyber attacks. "We are debating the level of government involvement," Ozment said. "The question is at what point does the federal government get involved. In all cases the federal government has to be invited to help by the companies. A lot of firms are uncomfortable with this, and that is understandable."

However, now that other nations are targeting the US and private industry, other panelists questioned if the US government should take a more proactive approach. For instance, argued Dimitri Alperovitch, co-founder and CTO of CrowdStrike, if Iran was to blockade shipping lanes and impede commerce, diplomatic followed by military action would be realistic options.

"I don't see that the government is understanding what the severity of these threats are," Alperovitch said. "If we don't respond with a message of deterrence, this will continue. It may take the adversary 10 tries and we may block 9 of them. But on the tenth try, they might succeed."

McConnell, who served in the intelligence community under four presidents, warns that taking action against economic cyber espionage, such as the DDoS attacks against the banks, can cause other problems. "The US does cyber espionage and we are the best in the world at it," he said. "But the US does not do economic espionage. We are a free market" and taking those types of actions has broader implications.

"The US certainly has the ability to break in and destroy" all types of systems and data, McConnell added. "I have been in lots of policy discussions about this. But if you go on the offense, what are the secondary and tertiary effects. The US is more dependent on technology than anyone else in the world. That's the policy dilemma. We are relying on technology, but we are far more vulnerable" than many of our adversaries.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology. View Full Bio